Bug 24337 - libarchive new security issues CVE-2019-1000019 and CVE-2019-1000020
Summary: libarchive new security issues CVE-2019-1000019 and CVE-2019-1000020
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-10 20:37 CET by David Walser
Modified: 2019-02-13 12:10 CET

See Also:
Source RPM: libarchive-3.3.3-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-02-10 20:37:46 CET
Ubuntu has issued an advisory on February 7:
https://usn.ubuntu.com/3884-1/

Mageia 6 is also affected.
David Walser 2019-02-10 20:37:57 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2019-02-11 02:35:50 CET
Advisory:
========================

Updated libarchive packages fix security vulnerabilities:

libarchive contains an out-of-bounds read vulnerability in 7zip decompression,
archive_read_support_format_7zip.c, header_bytes() that can result in a crash
(denial of service). This attack appears to be exploitable via the victim
opening a specially crafted 7zip file (CVE-2019-1000019).

libarchive contains an infinite loop vulnerability in the ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can
result in DoS by infinite loop. This attack appears to be exploitable via the
victim opening a specially crafted ISO9660 file (CVE-2019-1000020).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020
https://usn.ubuntu.com/3884-1/
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.3.1-1.5.mga6
libarchive-devel-3.3.1-1.5.mga6
bsdtar-3.3.1-1.5.mga6
bsdcpio-3.3.1-1.5.mga6
bsdcat-3.3.1-1.5.mga6

from libarchive-3.3.1-1.5.mga6.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Herman Viaene 2019-02-11 14:27:28 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Used tests as in bug24075 Comment 5
$ cd Afbeeldingen/
$ ls
001rgba.tiff   34815267.pcx     gray1dit.tif                       P7212390.ORF
001.tif*       34815267.png     gray1.jpg                          P7212390.ORF.pp3
002.tif*       34815267.ps      gray1.tif                          P7212391.ORF
003.tif*       34815321.jpg     gray2.jpg                          P7212392.ORF
004.tif*       34815321rot.png  heap-buffer-overflow-readbmpimage  RawLen/
...and more, 56 objects in total
$ bsdtar -c -f ~/archtar *
checked archtar with engrampa: all is there
$ cd ../tmp
$ bsdtar -x -f /home/tester6/archtar 
checked pictures in tmp: all OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 3 Len Lawrence 2019-02-11 18:44:14 CET
mga6, x86_64
A couple of POCs are available.

https://github.com/libarchive/libarchive/pull/1120

*Before updating*

CVE-2019-1000019
$ xxd -r crash.7z.txt crash.7z
$ bsdtar -xf crash.7z
Segmentation fault (core dumped)

CVE-2019-1000020
$ xxd -r rrforever.iso.txt rrforever.iso
$ bsdtar -xf rrforever.iso
Hung.....

Updated the packages.
- bsdcat-3.3.1-1.5.mga6.x86_64
- bsdcpio-3.3.1-1.5.mga6.x86_64
- bsdtar-3.3.1-1.5.mga6.x86_64
- lib64archive-devel-3.3.1-1.5.mga6.x86_64
- lib64archive13-3.3.1-1.5.mga6.x86_64
- lib64avahi-client-devel-0.6.32-1.1.mga6.x86_64

* After updating *

$ bsdtar -xf crash.7z
bsdtar: Damaged 7-Zip archive
bsdtar: Error exit delayed from previous errors.

$ bsdtar -xf rrforever.iso
bsdtar: Tried to parse Rockridge extensions, but none found
bsdtar: Error exit delayed from previous errors.

Those are good.

Following Herman's lead:
$ du -hs .
67M	.
$ cd ..
$ bsdtar -cf qatest libarchive
$ ll qatest
-rw-r--r-- 1 lcl lcl 69567488 Feb 11 17:20 qatest
$ engrampa qatest
< contents OK >
$ bsdtar -tf qatest
libarchive/
[...]
$ bsdtar -xf qatest
$ ls libarchive
crash.7z         oob.iso  report.24337       temp/
crash.7z.txt     oob.lha  rrforever.iso      vgcore.31453
hardware.txt.gz  report   rrforever.iso.txt
$ temp/checkmydiary
Displayed imminent events in a popup.

Good for 64-bits.

CC: (none) => tarazed25
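The before/after verification in Comment 3 was done by hand: a segfault for the 7-Zip PoC and a hang for the ISO9660 PoC before the update, clean rejection afterwards. The script below is an added example (not from the bug or from libarchive) that automates that check: it runs bsdtar in list-only mode under a wall-clock limit and classifies each run as ok, crash, hang or error, so a QA pass fails if either symptom is still present. It assumes GNU coreutils `timeout`, bsdtar on PATH, and PoC files already rebuilt with xxd as in Comment 3.

```shell
#!/bin/sh
# Regression check for the two libarchive PoCs from Comment 3:
# crash.7z (CVE-2019-1000019) and rrforever.iso (CVE-2019-1000020).
# Assumptions (not from the bug): GNU coreutils timeout(1), bsdtar on PATH.

LIMIT_SECONDS=${LIMIT_SECONDS:-10}

# Map an exit status to a verdict. timeout(1) exits 124 when the limit is hit;
# a child killed by SIGSEGV is re-raised by timeout, so the shell sees 128+11.
classify() {
    case "$1" in
        0)   echo ok ;;      # archive listed cleanly
        124) echo hang ;;    # wall-clock limit hit: infinite-loop symptom
        139) echo crash ;;   # SIGSEGV: out-of-bounds read symptom
        *)   echo error ;;   # bsdtar rejected the input (expected once fixed)
    esac
}

# List one archive (-t, no extraction) under the limit and print its verdict.
check_archive() {
    status=0
    timeout "$LIMIT_SECONDS" bsdtar -tf "$1" >/dev/null 2>&1 || status=$?
    classify "$status"
}

# After the update both PoCs should yield "error", matching the
# "Damaged 7-Zip archive" / "none found" messages seen in Comment 3.
# Returns non-zero if any file still crashes or hangs bsdtar.
run_checks() {
    rc=0
    for f in "$@"; do
        verdict=$(check_archive "$f")
        printf '%s: %s\n' "$f" "$verdict"
        case "$verdict" in
            crash|hang) rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_poc.sh crash.7z rrforever.iso
if [ "$#" -gt 0 ]; then
    run_checks "$@"
fi
```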

Len Lawrence 2019-02-11 18:44:45 CET

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 4 Thomas Andrews 2019-02-12 02:24:15 CET
Looks good to me, guys. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:29:32 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-02-13 12:10:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0074.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
